Setting Up Two Factor Authentication - One Time Password Sent Through E-mail

If you choose this option, after the first level of authentication through the usual way, Password Manager Pro will randomly generate a unique password and it will be emailed to the user. The user has to enter the password sent by email to authenticate at the second level. The second level password generated and sent by Password Manager Pro is applicable only for that particular session of the web-interface. If the user logs out and tries to log in again, they will not be allowed to log in with the same password sent by email earlier. The user has to fetch the password sent by email again and enter it for authentication.

Summary of steps:

Configuring two factor authentication in Password Manager Pro.

Enforcing two factor authentication for required users.

Step 1: Configuring two factor authentication in Password Manager Pro

Navigate to Admin >> Authentication >> Two-factor Authentication.

Choose the option "One-time password sent through email".

Click "Save".

Note: When this TFA option is enabled and saved, the user selection box opens automatically. Confirm the list of enabled users and then click "Save".

Step 2: Enforcing two-factor authentication for required users

In Step 1 above, you have chosen 'One time password sent through e-mail' for two factor authentication. Now, you need to activate two-factor authentication for the required users.

To enforce two-factor authentication for a user:

Navigate to the "Users" tab. Select the desired users for whom two-factor authentication is to be activated.

Next, click the "More Actions" button at the top of the users list and select "Set Two-factor Authentication" from the dropdown.

In the UI that opens, confirm the list of your selected users one more time.

Once you're done, click "Enable" to activate TFA for the desired users. Now, TFA via one-time password sent through email has been enforced.

How to connect to Password Manager Pro web interface when TFA is enabled?

Users for whom two-factor authentication is enabled have to authenticate twice in succession. As explained above, the first level of authentication is the usual authentication. That is, the users have to authenticate through Password Manager Pro's local authentication or AD/LDAP/Azure AD authentication. If the administrator has chosen the TFA option "One time password sent through email", two-factor authentication happens as detailed below:

Upon launching the Password Manager Pro web-interface, the user has to enter the username and local authentication or AD/LDAP/Azure AD password to log in to Password Manager Pro and click "Login".

Once the first level of authentication succeeds, Password Manager Pro will generate a random password and email it to the user.

The user has to fetch the password from the email and enter it as the second password.

If the second authentication succeeds, the user will be allowed to view the Password Manager Pro web interface.

Note: The second level password generated and sent by Password Manager Pro is applicable only for that particular session of the web-interface. If the user logs out and tries to log in again, they will not be allowed to log in with the same password sent by email earlier. When the user logs in again, another new password will be sent to their email which they must use for authentication.
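The session binding described in the note above can be modelled in a few lines. This is an added illustrative example, not Password Manager Pro's code: the class and function names, the code format, hashed storage and the consume-on-success behaviour are all assumptions, and the mail sender is a constructed stand-in.

```python
import hashlib
import hmac
import secrets

class EmailOtpSessions:
    """Illustrative model only; not Password Manager Pro's implementation."""
    def __init__(self, send_mail):
        self._send_mail = send_mail   # hypothetical callable(address, code)
        self._pending = {}            # session_id -> SHA-256 of the emailed code
        self._verified = set()        # sessions that passed the second level

    def first_factor_ok(self, email):
        """Call after the usual authentication succeeds; emails a fresh code."""
        session_id = secrets.token_urlsafe(32)
        code = secrets.token_urlsafe(9)   # 12 random characters: assumed format
        self._pending[session_id] = hashlib.sha256(code.encode()).digest()
        self._send_mail(email, code)
        return session_id

    def second_factor(self, session_id, submitted):
        """Accept the code only for the session it was issued to."""
        expected = self._pending.get(session_id)
        given = hashlib.sha256(submitted.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            return False
        del self._pending[session_id]     # assumption: code is consumed on success
        self._verified.add(session_id)
        return True

    def is_logged_in(self, session_id):
        return session_id in self._verified

    def logout(self, session_id):
        """Ending the session discards its state, so the old email is useless."""
        self._pending.pop(session_id, None)
        self._verified.discard(session_id)

def demo():
    outbox = []                           # constructed stand-in for the mail server
    tfa = EmailOtpSessions(lambda addr, code: outbox.append(code))
    s1 = tfa.first_factor_ok("user@example.com")
    ok_first = tfa.second_factor(s1, outbox[0])
    tfa.logout(s1)
    s2 = tfa.first_factor_ok("user@example.com")       # second login, new code sent
    old_rejected = not tfa.second_factor(s2, outbox[0])
    new_accepted = tfa.second_factor(s2, outbox[1])
    return ok_first, old_rejected, new_accepted
```

`demo()` walks the scenario from the note: the first code works for its session, the same code is refused after logout and a new login, and only the newly emailed code is accepted.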

Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID, One-time password, RADIUS or Duo), and you have configured high availability, you need to restart the Password Manager Pro secondary server once.